[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: windows authentication & openldap: explanation.

To: David Wright <ichbin@shadlen.org>
Subject: Re: windows authentication & openldap: explanation.
From: Christoph Neumann <enigma@apu.edu>
Date: Fri, 26 Jul 2002 16:32:38 -0700 (PDT)
Cc: brian jones <bj_rui@hotmail.com>, <openldap-software@OpenLDAP.org>, Patrick McCarty <mccartyp@apu.edu>, James Janssen <jjanssen@apu.edu>
In-reply-to: <Pine.LNX.4.44.0207261436140.17605-100000@herbie.shadlen.org>

Brian (Wright), what you mentioned is correct for the old-style windows
authentication with the old NT 4 and below systems.  (Actually, Win95 and
NT 3 systems did everything in clear text.)  Modern windows clients (2000,
XP) allow for much better authentication mechanisms such as Kerberos.  
OpenLDAP supports Kerberos authentication.

So, if you have to support WinME and Win9x clients, yes, you need Samba to
provide the old-style of Windows authentication.  However, the question
still stands:  Why can't one use OpenLDAP as a replacement for Active
Directory using a modern authentication scheme such as Kerberos?  I would
love to hear the answer to that question too.

In addition to the authentication problem, there is the authorization
problem.  Active Directory is used for authorization of such things as
user and group policies.  Microsoft clients lookup authorization related
fields in Active Directory when the user logs into the domain.  Some of
these fields have an undocumented format (such as ntSecurityDescriptor).  
I believe the authorization piece of Active Directory makes Active
Directory more difficult to replace then the authentication piece.

- Christoph

On Fri, 26 Jul 2002, David Wright wrote:

> 
> How Unix authentication works:
> 1. Server (or /etc/passwd) stores a hashed password, e.g. "{ROT-1}tfdsfu"
> 2. Client hands server the cleartext of the user input, e.g. "secret"
> 3. Server hashes the client user input and compares it with the stored
> hased password. If they match, it returns TRUE.
> 
> How Windows authentication works:
> 1. Server stores cleartext of the password, e.g. "secret".
> 2. Server sends client a challenge, e.g. "abcdef".
> 3. Client hashes the client input and the challenge together, e.g.
> "tgfvjz" and sends this response to the server.
> 4. Server hases the client input and the challenge together and compares
> to the client's response. If they match, it retuns TRUE.
> 
> The Windows authentication has the advantage that the cleartext password
> is never sent over the wire. It the the disadvantage that the server must
> store the cleartext password.
> 
> OpenLDAP is designed to store hashed passwords, as is the Unix tradition.
> Since Windows authentication would require storing cleartext passwords,
> OpenLDAP doesn't implement the challenge/response model of Windows
> authentication.
> 
> You can get around this limitation. You can store a hashed password in the
> userPassword attribute and have your Unix clients authenticate off it via
> LDAP. You can also store a cleartext password in the smbPassword attribute
> and tell Samba to get passwords from LDAP. Samba implements the Windows
> challenge/response model and your Windows clients can authenticate off it.
> 
> You then need to do some scheming to make sure that the userPassword and
> smbPassword attributes stay in sync.
> 
> That answer you question?
> 
> 
>

References:
- Re: windows authentication & openldap: explanation.
  - From: David Wright <ichbin@shadlen.org>

Prev by Date: userCertificate needs binary format
Next by Date: Re: FW: Application Error in slapd.exe on W2000
Index(es):
- Chronological
- Thread